Regulatory Reality

I’m returning to the office after having given in to the siren song of Memorial Day weekend. Despite enjoying the long break and all its trappings (way too much I might add), something that hit my radar last week remained on my mind.

Earlier in the week, I came across a comment in an IT audit report in which the auditor recommended that the institution for which the report was written plan to conduct a test of their pandemic policy. Before I continue, I need to come clean and admit that all auditors, myself included, are typically allowed a wide swath when writing our reports because, while we stick to a somewhat standard approach to testing, our experiences and opinions heavily influence our findings and recommendations. However, I found this comment to be way too granular and oddly specific. First of all, it would be the company’s pandemic procedure that would be tested, not its policy. While this may seem trivial, I can show you the scars I’ve received at the hands of auditees when confusing such terms. Policy is how management specifies what needs to be done, and procedure is how the organization gets things done; an audit confirms there are procedures in place to support the policy, that those procedures are sufficient to address the underlying risks, and that they’re being followed. My second issue with the recommendation is that the part of the overall business continuity plan (BCP) that addresses a possible pandemic scenario is only a subset. You might recommend that a test of the overall plan be conducted, but it’s a bit unusual to specify which parts should be included.

You may recall all the hysteria just about a year ago courtesy of the H1N1 (swine) flu epidemic that had everyone on edge for most of the late spring and early summer. In the end, the numbers didn’t really reveal a remarkable increase in the number of flu cases reported year-over-year, only a shocking increase in the amount of media coverage it received. But one of the residual effects was an increased awareness of how a financial institution would manage through a quarantine situation. While there is real value to be derived from planning for such an event, the bottom line is that most banks and credit unions are far more likely to confront evacuations and shut-downs due to fire, extreme weather or loss of services (e.g. electricity, heating/cooling, etc.). When you consider that it’s challenging enough for small and midsize institutions to conduct any form of testing, you’d want them to focus on their greatest and most likely risks. A quarantine situation, should one ever actually occur, would likely develop over a period of days and allow for a controlled transition from normal to reduced operations. I’m just not sure that, beyond covering the pandemic response plan as part of the annual training curriculum, there’s much value in conducting either a table-top or off-hours test. It just doesn’t seem like a good use of an already constrained staff. For so many of my clients, there’s so little time to get everything done that they can ill afford to focus on the wrong things. Perhaps a better recommendation would have been that the institution vary the parts of the plan they test each year, beginning with the pandemic section first.

At some point during the past year, it occurred to me that the difference between panic and pandemic was but a few extra letters. It reminded me of a bit that Kevin Nealon did on Saturday Night Live years ago with subliminal messages, and I’ve thought since then that might explain all the hoopla. Because if you move past the Hollywood hype that usually fuels our fear and think about it in practical terms, it’s just not that scary. We have ATMs for cash and deposits, and online banking for statements, bill pay and account transfers (I can’t recall one single bank or credit union that doesn’t offer these services). We have remote, encrypted connectivity from home for critical staff (not all of my clients make it available, but the vast majority do), and most branches have drive-throughs, which further reduce the risk of exposure to airborne disease.

As I advised one BCP client recently, the annual pandemic test should consist primarily of making sure that the surgical masks and anti-bacterial soap are readily available.


The FFIEC IT BCP handbook has a special portion relating to pandemics. By your post I can clearly see that you do not have knowledge about pandemic planning. I would suggest to any of your clients that they contact a Business continuity planner to create a specific pandemic plan. This is a requirement of the FFIEC.
What you are suggesting to your clients, “annual pandemic test should consist primarily of making sure that the surgical masks and anti-bacterial soap are readily available,” is in no way a pandemic exercise “test”. A test would normally be done through a well executed and thoroughly planned tabletop. Masks and soap would not be sufficient for a highly deadly pandemic. Look into the 1918 influenza pandemic of H5N1 Avian flu.
As a planner that mobilized a pandemic plan during the H1N1 outbreak in Mexico City when the city was shut down, there is much more to pandemic planning and testing than you seem to realize.

Ginnar,
Sorry for the delay in addressing your comment.
I actually have fairly extensive knowledge of BCPs and their many components. While for the larger institutions I've worked with/for over the years their needs may be a bit more extensive, the majority of small and mid-sized institutions I typically work with are much better equipped to manage through a pandemic event with minimal effort. And while I've had plans I've designed used to effectively manage through a variety of disruptions, I've been fortunate that no one has had to activate the pandemic component. Just the same, I'm confident that what I've designed would work because it's based on equal parts common sense and experience and adjusted to fit the size and complexity of the institution.
Tell me how comprehensive a pandemic plan a four-branch bank should have? They know what critical services need to be staffed and by whom, know how to communicate effectively with their customers, and have successfully tested to make certain that all staff have ready access to the plan - what more should they test?
David Schneier
